Hello there,
NLA prevents users from connecting to RDP/RDS hosts if their passwords have expired or if they have the “User must change password at first logon” option enabled in their userAccountControl user attribute. You can disable NLA and see if you can change the password.
Change the permissions of the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc to allow anonymous to read the key. If the key doesn't exist, you may create it and then add the read permissions for the anonymous account.
You can also add a link to the password change form directly to the Remote Desktop WebAccess sign-in form. This will allow users to change their password at any time without waiting till it expires.
Here is a link that has some additional troubleshooting steps which you can try to see if it helps in overcoming your issue:
Password change for expired password failing for workgroup scenario: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/error-password-change-expired-password
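
Both changes suggested in the answer above (turning off NLA, granting the anonymous account read access to the Rpc policy key) alter the host's security posture, so it helps to record the current state first. The PowerShell below is an added example, not part of the original answer or of Microsoft's documentation; it only reads settings, assumes the standard RDP-Tcp listener and Terminal Services policy registry locations, and its function names are hypothetical.

```powershell
# Added example (not from the original answer): read-only audit of the NLA
# setting and of the Rpc policy key's ACL. Function names are hypothetical.
$RdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RpcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$AnonSid   = 'S-1-5-7'   # well-known SID of ANONYMOUS LOGON

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-NlaState {
    $policy = Get-RegValue $TsPolicy 'UserAuthentication'
    $local  = Get-RegValue $RdpTcp  'UserAuthentication'
    # A Group Policy value, when present, takes precedence over the listener value.
    $effective = if ($null -ne $policy) { $policy } else { $local }
    [pscustomobject]@{
        PolicyValue   = $policy
        ListenerValue = $local
        NlaRequired   = ($effective -eq 1)
    }
}

function Get-RpcKeyAnonymousAccess {
    if (-not (Test-Path -Path $RpcPolicy)) {
        return [pscustomobject]@{ KeyExists = $false; AnonymousRules = @() }
    }
    $acl = Get-Acl -Path $RpcPolicy
    # Ask for SIDs so the match does not depend on the OS display language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $AnonSid } |
        Select-Object RegistryRights, AccessControlType, IsInherited
    [pscustomobject]@{ KeyExists = $true; AnonymousRules = @($rules) }
}

Get-NlaState | Format-List
Get-RpcKeyAnonymousAccess | Format-List
```

Run it before and after the change so the NLA setting and the key's ACL can be restored once the password has been reset.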